When installing NixOS in the target filesystem /mnt, paths relative to
configuration.nix in `initrd.secrets` are turned by Nix into absolute
paths that reference /mnt. While building the system derivation works,
installing the bootloader fails because the latter process takes place
inside the chroot environment where /mnt does not exist.
Ideally, we would also build the system within chroot, but this greatly
complicates the matter as it requires manually copying over Nix, its
runtime dependencies and all channels. Possibly, this would also break
several assumptions users have about how nixos-install works.
A simpler and safer (but less neat) solution is to temporarily bind
mount all mount points in /mnt under /mnt/mnt to keep the paths
functional while the bootloader is being installed.
This is essentially the workaround described in issue #73404.
Due to missing `/etc/machine-id` in the new root, systemd-tmpfiles
outputs a bunch of scary warnings like "Failed to replace specifiers in
'/run/log/journal/%m'". We only care about /tmp, so hide them.
`-E` is an alias for `--exclude-prefix=/dev --exclude-prefix=/proc
--exclude-prefix=/run --exclude-prefix=/sys`.
Support for ZFS, while desirable, is problematic with newer kernel
releases. The stable ZFS release seldom supports the current newest
kernel version, and this makes the new_kernel image basically useless as
it cannot be published, and is not often built with new kernel releases.
This uses a dirty workaround to work around the fact it is impossible to
remove a list item from a modules system list type. Since ZFS support is
conditional to being supported on the current platform, we can fake ZFS
not being supported *for the no-zfs build only*. This overlay is only
added when evaluating the image, nothing else.
Support for ZFS, while desirable, is problematic with newer kernel
releases. The stable ZFS release seldom supports the current newest
kernel version, and this makes the new_kernel iso basically useless as
it cannot be published, and is not often built with new kernel releases.
This uses a dirty workaround to work around the fact it is impossible to
remove a list item from a modules system list type. Since ZFS support is
conditional to being supported on the current platform, we can fake ZFS
not being supported *for the no-zfs build only*. This overlay is only
added when evaluating the iso, nothing else.
Pin the `nixpkgs` registry entry to the *filtered* nixpkgs source to
avoid copying the entire `.git` directory to the ISO when building
from a local checkout.
Also set `to` directly instead of the `flake.outPath` hack.
This is done for sd-images only here, but should probably also be done
for dvd-images.
The --invariant arg should be a better way of making mkfs.vfat deterministic.
The previous version of invoking faketime was building fine and reproducible
when I was compiling an sdimage for aarch64 under emulation.
It was however still logging errors:
ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
The logged errors were presumably inaccurate somehow as calling
faketime was required for reproducibility, even though the log makes it
looks like it failed.
Within #193485 (and the previous changes) the internal structure of the
testing driver was changed. Since then, `makeTest` returns the
attributes for the VM test(s) (including `driverInteractive`) inside a
sub-attribute called `test`, so without this change running
`nixos-build-vms` would fail like this:
error: attribute 'driverInteractive' missing
Move already implemented functionality to the upper level so
it could be used in a more generic way.
Signed-off-by: Ivan Nikolaenko <ivan.nikolaenko@unikie.com>
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
This is image media, so use the override level designed for it. As
detailed in the definition for mkImageMediaOverride:
> image media profiles can be derived by inclusion into host config,
> hence needing to override host config, but do allow user to mkForce
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.
https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).
So from now on we should always explicitely set `--git-dir`, which
turns this search logic (and thus the security check) off.
The substr solution assumed a newline to be present.
The new solution will not remove the newline if it goes missing in the future.
Apparently this is idiomatic perl.
Thanks pennae for the suggestion!
`nixos/modules/installer/kexec/kexec-boot.nix` doesn't contain any
custom NixOS config, other than importing `netboot-minimal.nix` (which
imports `netboot-base.nix`, which imports `netboot.nix`.
`netboot.nix` really is just describing a self-contained system config,
running entirely off kernel and initrd, so we might as well move the
kexec script generation there as well.
`netboot.nix` already contains some `system.build` attributes.
Provide a `system.build.kexecTree` attribute (and `kexecScript` for
composability).
Previously, `makeInitrd` added the whole closure of the squashfs
derivation to initrd.
This closure contains the squashfs.img and some store paths which are
still referenced by the compressed squashfs.img.
These extra store paths are unused in stage 1.
With `makeInitrdNG` only the squashfs.img is added to the initrd.
(`makeInitrdNG` only resolves shared library references instead of the
whole closure).
This shrinks the netboot ramdisk by ~6% for a minimal system and
significantly decreases the size of the uncompressed root filesystem
in stage 1.
Very confusingly, the `isPowerPC` predicate in
`lib/systems/inspect.nix` does *not* match `powerpc64le`!
This is because `isPowerPC` is defined as
isPowerPC = { cpu = cpuTypes.powerpc; };
Where `cpuTypes.powerpc` is:
{ bits = 32; significantByte = bigEndian; family = "power"; };
This means that the `isPowerPC` predicate actually only matches the
subset of machines marketed under this name which happen to be 32-bit
and running in big-endian mode which is equivalent to:
with stdenv.hostPlatform; isPower && isBigEndian && is32bit
This seems like a sharp edge that people could easily cut themselves
on. In fact, that has already happened: in
`linux/kernel/common-config.nix` there is a test which will always
fail:
(stdenv.hostPlatform.isPowerPC && stdenv.hostPlatform.is64bit)
A more subtle case of the strict isPowerPC being used instead of the
moreg general isPower accidentally are the GHC expressions:
Update pkgs/development/compilers/ghc/8.10.7.nix
Update pkgs/development/compilers/ghc/8.8.4.nix
Update pkgs/development/compilers/ghc/9.2.2.nix
Update pkgs/development/compilers/ghc/9.0.2.nix
Update pkgs/development/compilers/ghc/head.nix
Since the remaining legitimate use sites of isPowerPC are so few, remove
the isPowerPC predicate completely. The alternative expression above is
noted in the release notes as an alternative.
Co-authored-by: sternenseemann <sternenseemann@systemli.org>
Installing Firefox is a good example for a package that could be
installed as a user, since it is a graphical one.
Also use thunderbird as a second example.
Currently we're still using scripted networking by default. A problem
with scripted networking is that having `useDHCP` on potentially
non-existing interfaces (e.g. an ethernet interface for USB tethering)
can cause the boot to hang.
Closes#107908
